Phishing Assessments - A Simple, Anonymous and Free Approach

October 12, 2012

Phishing assessments are a powerful way not only to measure the awareness of an organization but to reinforce key learning objectives. Nothing is more powerful than when people click on a link, get instant feedback that they just fell victim to a test, and then learn what phishing is and how they could have detected this attack. There are now a number of commercial and open source tools to help you run your own phishing assessment, which are listed as part of the STH Phishing Assessment Planning Kit. Today, however, I want to cover a simpler approach to awareness assessments, one that has the advantage of being both anonymous and free.

Last week I was teaching the SANS MGT 433 course on building high-impact awareness programs. One student brought up a challenge they had with awareness assessments: both legal and the unions were blocking the assessments because they could violate employees' privacy. They did not want management to know the names of who fell victim, nor did they want people's careers impacted. One of the solutions we discussed is using a URL shortener for your awareness program, such as http://goo.gl. The idea is that when creating your phishing email, you use a shortened link in the email that redirects to your training page; the shortener's statistics then tell you how many people clicked without telling you who. There are some advantages here.

URL shorteners track and report how many times the link was clicked, and the better ones separate total clicks from unique visitors: if one person clicks the link ten times from the same computer, it counts as one unique hit. Use the unique count as your result. Two things can still skew it: the service typically tells visitors apart by source address (and sometimes browser), so many users behind a single corporate proxy or NAT address can collapse into one "unique" click, and mail filters or link-scanning gateways that fetch URLs before delivery can add clicks nobody made. Check both against a small pilot before trusting the numbers.

If your organization is concerned about privacy issues, this approach addresses them: the shortener reports only a count, not who clicked, so privacy and anonymity are protected. One caveat: the web server hosting the page the link redirects to still sees each visitor's address in its own access logs, so host the training page where those logs are not kept or not correlated with users, or agree up front that they will not be.

You can't beat the price: it's free.

If you do use a URL shortener, make sure you use one that keeps the click statistics private; you do not want the link's history publicly available. A quick check is to open the service's statistics page for your link from a browser that is not logged in to your account: if the counts appear, anyone who obtains the link can see them too.
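The same anonymous count can be produced without handing the link to a third-party service, which matters when legal or the unions object to that as well. The following is an added example, not code from the original post or from SANS: a small self-hosted redirector in Python that stands in for the shortener. It redirects the tracked link to the training page, counts total and unique clicks, and deliberately keeps no record of who clicked: uniqueness is judged on an HMAC of the visitor's address and browser string under a random key that exists only in memory, and the request log is silenced. The tracked path, training page URL and port are made-up placeholders.

```python
"""Anonymous click counter for a phishing assessment (added example).

Hypothetical self-hosted stand-in for a URL shortener: it redirects every
visitor of the tracked link to the awareness training page, counts total
and unique clicks, and never stores who clicked.
"""
import hashlib
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the original post): the tracked path, the training
# page the link redirects to, and the listening port are all made up here.
TRACKED_PATH = "/t/q3-awareness"
TRAINING_PAGE = "https://awareness.example.com/you-clicked"
PORT = 8080


class AnonymousClickCounter:
    """Counts clicks the way a shortener reports them: total and unique.

    Uniqueness is decided on an HMAC of the visitor's address and browser
    string under a random per-campaign key. The key lives only in memory and
    is discarded with the counter, so the stored digests cannot later be
    mapped back to individual staff, even by someone who obtains them.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never written anywhere
        self._seen = set()                    # digests only, no addresses
        self.total = 0
        self._lock = threading.Lock()

    def _visitor_token(self, source_ip, user_agent):
        msg = f"{source_ip}\x00{user_agent}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record_click(self, source_ip, user_agent=""):
        """Register one click; returns (total, unique) after recording."""
        token = self._visitor_token(source_ip, user_agent)
        with self._lock:
            self.total += 1
            self._seen.add(token)
            return self.total, len(self._seen)

    @property
    def unique(self):
        return len(self._seen)

    def summary(self, emails_sent):
        """Campaign result as a shortener would show it, plus a click rate."""
        rate = self.unique / emails_sent if emails_sent else 0.0
        return {"sent": emails_sent, "total_clicks": self.total,
                "unique_clicks": self.unique, "click_rate": round(rate, 3)}


COUNTER = AnonymousClickCounter()


class RedirectHandler(BaseHTTPRequestHandler):
    """Redirects the tracked link to the training page and counts the click."""

    def do_GET(self):
        if self.path != TRACKED_PATH:
            self.send_error(404)
            return
        COUNTER.record_click(self.client_address[0],
                             self.headers.get("User-Agent", ""))
        self.send_response(302)
        self.send_header("Location", TRAINING_PAGE)
        self.end_headers()

    def log_message(self, format, *args):
        # BaseHTTPRequestHandler would otherwise print each client address
        # to stderr; silence it so no access log of who clicked is produced.
        pass


if __name__ == "__main__":
    print(f"serving {TRACKED_PATH} on :{PORT}, redirecting to {TRAINING_PAGE}")
    HTTPServer(("", PORT), RedirectHandler).serve_forever()
```

Run it, mail out a link to the tracked path, and read `COUNTER.summary(n)` from the process when the campaign ends (a reporting endpoint is left out to keep the example short). The same proxy and NAT collapse described above applies here, since visitors behind one address with the same browser look like one person. Discarding the key with the process is what makes the stored digests useless for later de-anonymization: with the key, a 32-bit address space is small enough to enumerate.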

Obviously there are disadvantages. For example, you will not be able to track who clicked on the link, or even which department. In addition, professional phishing software often provides more in-depth details, such as the OS, email client and browser version of every victim, and perhaps whether that software has known vulnerabilities. Finally, you do not have more advanced attack options, such as tracking opened attachments. However, even with all these limitations in mind, if you need a solution that is simple, anonymous, and/or free, I recommend you consider this option.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.